EPIC Alert 23.24

EPIC Alert logo

1. EPIC Urges Supreme Court to Protect Online Privacy, Right to Read

EPIC has filed a "friend-of-the-court" brief in Packingham v. North Carolina, a US Supreme Court case about a North Carolina statute that bars access to certain websites. EPIC urged the court to strike down the law, which violates the First Amendment right to read and threatens internet privacy by encouraging state surveillance of online speech.

Under the North Carolina law, released sex offenders are barred from accessing any website that allows people under 18 to create profiles and communicate online. This includes not only social networks like Facebook and Myspace, but also major news websites like the New York Times and CNN.

In a brief joined by 35 technical experts, legal scholars, and civil liberties organizations, EPIC explained that the law violates the First Amendment right to receive information and censors vast amounts of speech unrelated to protecting minors.

"The state can no more criminalize what an individual chooses to read on a personal electronic device than it can restrict the contents of a home library: the privacy of both is sacrosanct," EPIC wrote. "It is difficult to conceive of a more brazen violation of the right to access ideas--or the right to be let alone--than this wholesale removal of works from an individual's digital library."

EPIC noted that "it is not just released offenders whose privacy and free speech suffer under the surveillance spurred by [the law]. Any person--adult or minor--who uses a 'commercial social networking Web site' may be subject to such monitoring."

"[P]lacing government in the role of permanent eavesdropper is highly corrosive to privacy and free expression on the internet," EPIC added. "Faced with the knowledge that a prying official may collect and scrutinize the contents of their personal profiles, individuals will inevitably trend towards greater self-censorship."

EPIC regularly files amicus briefs with the US Supreme Court on emerging privacy and civil liberties issues. EPIC previously argued for First Amendment privacy protections in Doe v. Reed, Watchtower Bible v. Stratton, and Patel v. Los Angeles.

2. European Court of Justice Holds that Data Retention Laws Violate EU Law

In a major privacy decision, the Court of Justice of the European Union has ruled that mandatory data retention schemes enacted by member states violate EU law.

The case involved challenges to data retention laws in Sweden and Britain. In a 2014 case, the CJEU struck down the EU Data Retention Directive, which had required telephone and internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. That previous case involved a Directive of the EU, while this latest case considered whether EU member states could legally enact their own data retention laws for the purpose of fighting crime.

The Court of Justice held that they could not. It found that subscriber data, which "contain information on the private life of natural persons," "may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time." The court further explained that fighting terrorism or crime is not, by itself, justification for indiscriminate, blanket data retention. The court also ruled that authorities who access retained data must notify the data subjects as soon as doing so would no longer jeopardize investigations.

EPIC has consistently opposed mandatory data retention. In 2013, EPIC President Marc Rotenberg addressed the European Parliament on the issue of electronic mass surveillance of EU citizens. EPIC currently has a petition pending before the Federal Communications Commission to overturn the FCC regulation requiring the retention of phone records of US telephone customers.

3. EPIC FOIA: Drone Industry Cozied Up to Public Officials

Documents obtained by EPIC reveal a steady line of communication between government officials and the drone industry leading up to the release of the government's drone policy.

According to the documents obtained through a Freedom of Information Act request, officials from the Commerce Department's National Telecommunications and Information Administration regularly communicated with private-sector members of the Small UAV Coalition, an industry trade group that includes Google, Amazon, and the Chinese drone company DJI. Among the uncovered emails is an invitation from the Small UAV Coalition to NTIA officials to attend a private party featuring the band, Ok Go.

The government's multistakeholder process has been criticized for undermining democratic institutions and giving industry lobbyists preferential access to government agencies. "[W]e do not believe that the NTIA process is likely to yield a set of privacy rules that offers adequate protections for the use of facial recognition technology," wrote a coalition of privacy advocates. "Therefore, at this point, we choose to withdraw from further deliberations."

EPIC advocated for enforceable privacy rules prior to deployment of commercial drones in the United States. After a multistakeholder process produced voluntary guidelines, EPIC sued the FAA. Congress in 2012 ordered the Federal Aviation Administration to issue "comprehensive" rules for drone use. EPIC and more than 100 organizations and experts subsequently urged the FAA to establish privacy protections prior to permitting widespread drone deployment, but the agency denied EPIC's petition. EPIC is now challenging the FAA's final rule. The case is pending before the Court of Appeals for the D.C. Circuit.

4. EPIC Hosts Curated CRS Reports on Cyber Topics

EPIC is now hosting select reports from the Congressional Research Service on its website. The CRS provides non-partisan reports to members of Congress and their staff, but many CRS reports have not been made publicly available despite their instrumental role in the legislative process. Recently, a number of reports were released to the public and EPIC has created a webpage hosting CRS reports on cybersecurity, surveillance, open government, drones, and other privacy-related issues.

The CRS does not make legislative or policy recommendations in its reports, providing only information and policy analysis. Members of Congress rely on this information and analysis when determining what legislation to adopt, reform, and repeal. Despite repeated and longstanding calls to make CRS reports accessible to the public, these efforts have largely failed. Recently, Demand Progress, a group focused on open government, gained access to more than 8,000 reports that had been produced by the CRS. In releasing the documents, the organization stated that "Congress must do better" in their efforts to be transparent with the public and about the legislative process. Reports that have not yet been made public are available to anyone with access to a Congressional computer network. However, until legislation is passed that allows the CRS to make all of the reports accessible to the public as they come out, access is limited to members of Congress and their staffers.

EPIC has long advocated for open government principles and strives to make documents relied on by federal decision-makers accessible to the public. EPIC regularly files Freedom of Information Act requests seeking to make internal government documents available to members of the public who request access to them. With its new webpage hosting CRS reports related to privacy, EPIC hopes to provide the public with insight into the legislative process and the basis on which important policy decisions are made.

EPIC Guide to New Year Privacy Resolutions

This January, consider adding to your list of New Year resolutions a few simple steps to protect your privacy in 2017 and beyond. To get you started on this important commitment, EPIC suggests a variety of items and services to help safeguard the privacy and security of you and your loved ones.

1. Virtual Private Networks

A virtual private network, or VPN, will protect your personal data while using public Wi-Fi networks and makes it harder for advertisers to track you online. PC Magazine breaks down the best VPN services of 2017 to help you choose the option that's right for you.

2. YubiKey

Don't want to see your e-mails show up on some internet forum? Tired of entering multiple codes every time you sign in? Do yourself a favor and get a physical two-factor authentication key from Yubico. Future generations will thank you.

3. Webcam Covers

Use these removable and reusable stickers to cover the camera lens on your smartphone, computer, and other connected device. It's a cheap and easy way to protect against creeps, criminals, and the NSA from secretly watching you.

4. RFID-Blocking Leather Wallet

Want to travel in style without breaking the bank? Try this genuine leather RFID-blocking wallet that keeps your cash and your cards in one place without easy access to skimmers.

5. Student Privacy Shields

Student privacy is a critical issue in today's classroom, and these student privacy shields are a fun way to protect kids' freedom of expression, creativity, and test answers.

6. Feline Privacy Shields

The "prive kitty litter screen" - a privacy shield for your cat - offers fashionable and functional privacy for the discerning kitty.

7. Aluminum Foil

Going to a protest? Planning the next great movement? Want to go off the grid for a few hours? Make a Faraday Cage the old fashioned way. Because sometimes they really are out to get you.

News in Brief

Obama Sanctions Russia for Election "Hack"

President Obama has sanctioned the Russian government for interference with the 2016 Presidential election. Obama stated, "These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior." Throughout 2016, EPIC pursued a campaign in support of data protection, contending that it was "the most important, least well understood issue" of the 2016 election. EPIC specifically warned that online voting systems were vulnerable to cyberattack. EPIC recently filed an expedited FOIA request with the FBI, seeking to determine why the agency was slow to respond to the attack on US democratic institutions by a foreign government.

EPIC Seeks FBI Records on Russian Interference in 2016 Presidential Election

EPIC has submitted an urgent Freedom of Information Act request to the FBI seeking records about the agency's response to the Russian interference in the 2016 presidential election. According to several reports, Russian hackers infiltrated computer systems of the Democratic National Committee and the Republican National Committee. The U.S. Intelligence Community has officially attributed the attacks on the Russian government, yet questions have been raised about the failure of the FBI to investigate the attacks on the political parties of the United States. Congress is expected to establish a Select Committee to investigate the matter. "The FBI," EPIC stated in the FOIA request, "is entrusted with protecting the cybersecurity of the public and its institutions. The American public, thus has a great interest in understanding the nature of the FBI's response to the Russian interference with the 2016 presidential election." EPIC is seeking expedited processing of the FOIA request. EPIC has recently filed a FOIA lawsuit against the FBI, regarding the expansion of "Next Generation Identification," one of the largest biometric databases in the world.

Center for Investigative Reporting: Uber Continues to Abuse Locational Data

A recent report from the Center for Investigative Reporting finds that Uber continues to allow employees broad access to rider location data, raising questions of whether the transportation service is violating the terms of a settlement with New York's Attorney General. According to the report, "Uber gave thousands of employees access to where and when each customer travels." Uber recently changed the terms of service and expanded the collection of users location data. Uber also faces legal action in Europe over whether it should be considered a transportation service or digital platform. In 2015, EPIC filed a complaint with the FTC, charging that Uber's plan to track users and gather contact details is an unlawful and deceptive trade practice. That complaint, like many other consumer privacy complaints, is still pending before the Federal Trade Commission.

The Verge Features EPIC FOIA Docs on Secret Profiling System

In a recent article, The Verge featured an EPIC Freedom of Information Act lawsuit about a controversial government data mining program, operated by the Department of Homeland Security. EPIC is seeking documents on the "Analytical Framework for Intelligence," a program that assigns "risk assessment" scores to travelers using data from sources including the Automated Targeting System, also operated by the DHS. Travelers "don't know how the scores are being generated and what the factors are," said EPIC FOIA Counsel, John Tran. "What if there's an error? Users should have an opportunity to correct the error, users should have an opportunity to understand what goes into generating the score." The case is currently pending before a federal judge in Washington, DC. EPIC expects to obtain more records on AFI. The FOIA case is also related to EPIC's ongoing work on "Algorithmic Transparency."

Rep. Sensenbrenner Warns Trump on EU-US Data Flows

Congressman James Sensenbrenner has sent a letter to President-elect Donald Trump urging him to retain Presidential Policy Directive 28, which governs domestic and foreign signals intelligence activity. The Directive requires the intelligence community to safeguard the personal information of all individuals regardless of nationality. Sensenbrenner noted that PPD 28 also serves as a foundation for the "Privacy Shield," a framework for commercial data flows between Europe and the United States. EPIC has urged the EU and US to strengthen safeguards for transborder data flows and is currently participating as amicus curiae in a legal challenge to Privacy Shield brought by privacy advocate Max Schrems.

Congressional Working Group Releases Encryption Report

The Congressional Encryption Working Group has released a year-end report. Two Congressional Committees formed the working group following the FBI's demand that Apple weaken cell phone security to provide access to encrypted data on an iPhone. The report, endorsed by both Republican and Democratic members of Congress, finds that "any measure that weakens encryption works against the national interest." The report also notes that encryption is a global technology, and suggests that Congress should "foster cooperation between the law enforcement community and technology companies" instead of seeking a "one-size-fits-all" solution. EPIC has advocated for strong encryption since its founding in 1994 and published the first comprehensive survey of encryption use around the world. Last year, EPIC filed a "friend of the court" brief in support of Apple's challenge in the FBI iPhone case. The EPIC amicus brief explained that encryption protects the owners of the approximately three million cell phones lost or stolen each year from criminal hacking, financial fraud, and identify theft.

EPIC Urges Amazon, Walmart, Target, and Toys "R" US to Stop Selling Toys That Spy

EPIC has joined the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy in letters to major U.S. retailers urging the companies to immediately discontinue sales of My Friend Cayla, an internet-connected doll that spies on young children. In December 2016, EPIC filed a complaint with the Federal Trade Commission against toymaker Genesis Toys and speech recognition firm Nuance Communications over "toys that spy" on children in violations of federal privacy laws. The letters from the consumer groups, sent to Amazon, Walmart, Toys "R" Us, and Target, urge the companies "to put the welfare of children first, and to cease sales of My Friend Cayla pending investigation and action by the FTC." Toy stores across Europe have already removed Cayla from their shelves and are offering refunds to parents who purchased the toys.

Data Stolen from Over One Billion User Accounts in Second Yahoo Data Breach

Yahoo has announced that data was stolen from over one billion user accounts in August 2013. The breach included names, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers. More than 150,000 U.S. government and military employees are among the victims. Yahoo's earlier breach drew wide-ranging concern from U.S. Senators to European privacy officials. EPIC testified in support of strong data breach notification laws in 2009 and 2011 (urging Congress to establish a short timeline for notification to users of breaches), launched the Data Protection 2016 campaign to make privacy a campaign issue, and recently filed an amicus brief to protect the ability of consumer to sue companies that fail to protect their personal information.

EPIC in the News

EPIC Bookstore

EPIC publications and books by members of the EPIC Advisory Board, distinguished experts in law, technology and public policy are available at the EPIC Bookstore.

Recent EPIC publications:

The Privacy Law Sourcebook 2016, edited by Marc Rotenberg (2016)

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

Communications Law and Policy: Cases and Materials, 5th Edition, by Jerry Kang and Alan Butler. Direct Injection Press (2016).

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

Privacy Law and Society, 3rd Edition, by Anita Allen, JD, PhD and Marc Rotenberg, JD, LLM. West Academic (2015).

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

Privacy in the Modern Age: The Search for Solutions, edited by Marc Rotenberg, Julia Horwitz and Jeramie Scott. The New Press (2015). Price: $25.95.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions

Contributors include: Steven Aftergood, Ross Anderson, Christine L. Borgman (coauthored with Kent Wada and James F. Davis), Ryan Calo, Danielle Citron, Simon Davies, A. Michael Froomkin, Deborah Hurley, Kristina Irion, Jeff Jonas, Harry Lewis, Anna Lysyanskaya, Gary T. Marx, Aleecia M. McDonald, Dr. Pablo G. Molina, Peter G. Neumann, Helen Nissenbaum, Frank Pasquale, Dr. Deborah Peel, MD, Stephanie E. Perrin, Marc Rotenberg, Pamela Samuelson, Bruce Schneier, and Christopher Wolf.

Upcoming Conferences and Events

January 25, 2017
EPIC International Champion of Freedom Award Ceremony
Brussels, Belgium

January 25 - 27, 2017
Computers, Privacy & Data Protection 2017
Brussels, Belgium

January 27, 2017
10th National Symposium on Tech Crime and Electronic Evidence
Alan Butler, EPIC Senior Counsel
Toronto, ON Canada

March 3, 2017
"Disruptive Technologies"
Marc Rotenberg, EPIC President
Stanford Technology Law Review
Stanford, CA

March 31 - April 1, 2017
WeRobot 2017
Yale Law School
New Haven, CT

June 5, 2017
2017 EPIC Champions of Freedom Awards Dinner
National Press Club
Washington, DC

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security